Thread: Ettercap kills internet connection

  1. #1
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    4

    I'm having some troubles with ettercap.

    I'm running BT2 inside VMware server 1.05, and was able to get ettercap up and running with a bit of mucking about. Any websites that used SSL popped up with a confirm box, and if you hit yes it captured the password. In fact it seemed to be working a little too well where everyone in the host list (only one computer was added to the right column target list) was getting popups for certificates, even though the target computer was the only one being recorded. Once I removed everyone from the host list but the target computer it all seemed to work fine. I had a nice little list of certificates being collected.

    Today though upon booting up I can’t get it to work for the life of me. Every time I turn on ARP poisoning my internet slows to a crawl. If I then go to a site that has an SSL certificate, my internet drops out. I have to shut down ettercap and disconnect and reconnect the target machine to the network. On the one occasion I was able to capture a certificate, it had an X next to it in the profiles tab, but no IP address.

    Now, some details:
    1) Wireshark still works fine in promiscuous mode
    2) I’ve edited the comments out in the etter.conf file
    3) Thinking that it was having troubles sending files back to the router, I added the virtual machine IP to the DHCP list on the router.
    4) I am currently using my host machine (the one running the virtual server) as the target machine as xxx.xxx.xxx.111, and the virtual server as the attacker as 112. Could this be causing problems trying to ARP attack myself from the same machine? It seemed to be working fine yesterday.

    So I’m out of ideas. Why would turning on ARP poisoning kill my whole internet? Why wouldn’t it be recording certificates anymore? What could have changed since yesterday?

  2. #2
    Junior Member drwalter's Avatar
    Join Date
    Mar 2008
    Posts
    88

    I take it you're using the GUI... make sure you "start sniffing", otherwise the ARP requests are like roaches in the roach motel: they come in (to your computer) but never leave (to the other computers). Kinda defeats the purpose of "man in the middle".
    =====================================================
    Dr. Walter - Depraved linguist, Benevolent troublemaker extraordinaire
    =====================================================

  3. #3
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    4

    Nice analogy =D

    I've got sniffing turned on, but it seems to have the same problem.

    It seems to be getting worse though, as now Wireshark doesn't seem to be capturing packets in promiscuous mode (the only thing it picks up is the router sending a message checking the IP of the target machine). I'm sure this was all working fine yesterday =/

    Would this have anything to do with port forwarding? It was all I could find on the net but I'm not sure what to do with it.

  4. #4
    Junior Member drwalter's Avatar
    Join Date
    Mar 2008
    Posts
    88

    Port Forwarding is for machines outside your LAN to connect to specific computers/ports within your LAN, so that wouldn't be the issue. Try specifying the gateway as target one and a victim as target two to see if that works. If that fails, use the command line to see if the same problem occurs.

  5. #5
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    4

    Mmmm, still no go.

    If I have my host computer set as .111 and the vmware server set as .112, and wireshark with promiscuous turned off I should be seeing traffic when I go to a website on the host computer, right? As it stands now it’s like it’s completely crapped out. I can get on the internet from the vmware server, but I can’t see any packets from any of the computers.

    I’ve been playing about with the Vmware server settings, but nothing seems to be helping. Is there anything special I have to do to vmware before running BT2?

    My network card is only reported to work under backtrack (D-Link DWL-G520), so could windows be operating the wireless connection (apparently vmware cannot see wireless cards) and sending that signal without promiscuous mode turned on back to the vmware server? It still wouldn’t make sense that I can't see any local traffic through wireshark though...

    Any ideas?

  6. #6
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    4

    I think I figured it out...even though it makes no sense =/

    I remember when I first ran vmware server, I didn't know what linux type backtrack was, so I just selected Ubuntu. Running through some tutorials I remember seeing everyone recommend putting it on Linux 2.6.x instead. Well I changed it back to Ubuntu just now and it seems to be working again...but why?

    Is it just coincidence, or would selecting Ubuntu as the OS actually make some kind of difference?

  7. #7
    Just burned his ISO BlkUK's Avatar
    Join Date
    Mar 2008
    Posts
    15

    Hey guys, I've been having the same trouble. I too am using a bt3 vm and an xp vm (target). However, I have found a solution.

    Packet forwarding needs to be turned on, otherwise the bt3 vm will drop the connection between the hosts we are sniffing, ultimately causing a DoS.

    Run this in the shell before starting ettercap
    echo 1 > /proc/sys/net/ipv4/ip_forward

    I also read somewhere ettercap is supposed to start packet forwarding automatically, but that doesn't seem to be the case with the BT3 release. Or is that incorrect?

    irongeek.com/i.php?page=security/AQuickIntrotoSniffers

  8. #8
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    2

    I'm having the same problem, and I can't figure out how to fix it. I've tried running "echo 1 > /proc/sys/net/ipv4/ip_forward" both before and after opening ettercap, but it refuses to forward. I've checked all of those guides about configuring ettercap to work in older BT versions, and I've made sure that BT3 has the same configurations set (they were set properly by default). I've even tried disabling iptables (with the below commands) to make sure it wasn't a firewall issue... But it still won't forward. All other clients get disconnected.

    Code:
    # To disable iptables:
    iptables -F
    iptables -t nat -F

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # Then check with:
    iptables -nvL
    iptables -nvL -t nat

    Does anyone have any other ideas? I can't figure this out for the life of me.

  9. #9
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    2

    I tried running a BT3 Live CD and I didn't have this problem, so I know I'm doing things right. So it seems that the problem has to have something to do with VMware.
